28/10/2006, 23h39
#8
Re: Only Forward DNS Requests for Specific IPs
"opc3" <opc3@discussions.microsoft.com> wrote in message
news:97DB8995-3766-4F9F-99A7-301176E48EEB@microsoft.com...
> Got it, in current MS DNS, the answer is 'no'. While BIND may support it
> you are saying it is not a good idea.
Right and right.
> Thanks for hanging in there with me, I appreciate the input.
No problem.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
>
> "Herb Martin" wrote:
>
>> "opc3" <opc3@discussions.microsoft.com> wrote in message
>> news:C2F5F7BB-D877-450C-A149-410E720A9188@microsoft.com...
>> > Thanks again for the response, but I think you are making some
>> > assumptions about my environment which is only muddying the waters.
>> > Thanks for the input, I appreciate you trying to work through this
>> > with me, hopefully others are benefiting from our exchange as well...
>> >
>> > Let me try explaining again:
>> >
>> > I only want to make my already public (and only public) DNS server that
>> > currently only responds for the zones for which it is authoritative
>> > (i.e. forwarding is currently off) to forward DNS requests only if the
>> > request is originating from an IP that I trust.
>>
>> No.
>>
>> The answer remains "no."
>>
>> With the sole exception that you can resolve on one/some NIC/IPs,
>> while refusing to resolve requests on other IPs/NICs of the
>> same DNS server.
>>
>> Whatever you will resolve for anyone is going to be resolved
>> for everyone you allow to contact the server at all.
>>
>> (That is, you can use filtering and such to prevent DNS
>> requests but if you resolve anything for them then the
>> DNS server will serve them with anything/everything that
>> it knows how to do.)
>>
>> There are NO VIEWs (as exist in a BIND server).
>>
>> And yes, I understood your question the first time -- answered
>> it and answered the associated questions, in case those were
>> what you really meant.
>>
>> MS DNS won't do what you ask.
>>
>> (It remains a bad idea but MS DNS won't do it anyway.)
>>
>>
>> > This will effectively create a server where unknown computers can
>> > continue to use my DNS server for name resolution of zones for which
>> > I am authoritative (same functionality as is set up right now) but in
>> > addition to that IPs that I trust can query my DNS server for all
>> > zones regardless of whether I am authoritative for that zone or not,
>> > effectively allowing them to make use of my server as their primary
>> > DNS server to resolve all internet domains. Make sense?
>>
>> Yes, the question makes perfect sense as it generally did the first
>> time but the answer remains "No, MS DNS won't do that."
>>
>> BIND will. (To at least some useful and interesting extent
>> with "Views", but even the BIND experts generally consider
>> this a very poor design.)
>>
>> And such designs are practically always unnecessary -- you
>> have hit on one of the main reasons (besides security) why
>> most companies should not run their own public DNS servers
>> but put it back at the REGISTRAR.
>>
>>
>> --
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
>>
>> >
>> > "Herb Martin" wrote:
>> >
>> >> "opc3" <opc3@discussions.microsoft.com> wrote in message
>> >> news:29E7D7B1-3CE6-41B1-BFC1-5F5ACB199959@microsoft.com...
>> >> > Thanks for the input. It is not readily apparent to me how this
>> >> > setup could be insecure, however I agree it could be done better.
>> >>
>> >> In several ways but the simplest to understand is that
>> >> since this DNS is publicly accessible it is much more
>> >> likely to be compromised. IF it serves both roles then
>> >> it will not only compromise your external publishing but
>> >> also could lead to compromising the internal network.
>> >>
>> >> Security as a layered design is almost always the way to
>> >> think about it.
>> >>
>> >> > While this design may be lacking in certain areas, I will look to
>> >> > clean those up later. I am just trying to see if it is possible
>> >> > using Microsoft DNS for now.
>> >>
>> >> No, (as I said originally) and it is a bad idea even if it were
>> >> possible.
>> >>
>> >> > Could you elaborate on "....Forwarding is only done by ZONE. On the
>> >> > other hand you can pick off a zone of "one name" and thus NOT
>> >> > forward for a small number of specific names...."?
>> >>
>> >> Sure. If you wish a DNS server to hold a zone (i.e., be
>> >> authoritative for that zone) then it will answer ONLY
>> >> from what it knows (about THAT zone) with one exception:
>> >>
>> >> If you delegate, then the child zone will be resolved
>> >> by the child zone DNS servers (they become authoritative)
>> >>
>> >> But, if you don't want to hold an entire zone but resolve ONE
>> >> specific machine (from that zone) then you can create a "zone"
>> >> (just like any other zone) with the specific machine name* and
>> >> give it an A record with a blank name -- this will override for
>> >> that machine while still allowing this DNS server to NOT take
>> >> control/responsibility for the entire 'real' zone.
>> >>
>> >> *Looks like this:
>> >>
>> >> Assume the real zone is: zone.com
>> >> Assume the machine you wish to override is: server.zone.com
>> >>
>> >> Build a zone with the name "server.zone.com" and give it a "blank"
>> >> ("same as parent") A record.
>> >>
>> >>
>> >> > "Herb Martin" wrote:
>> >> >
>> >> >> "opc3" <opc3@discussions.microsoft.com> wrote in message
>> >> >> news:3B8773A4-83B6-491B-A9D1-C15CDD376FA2@microsoft.com...
>> >> >> > Is there a way to set up Microsoft DNS to only forward DNS
>> >> >> > requests for a specific set of IPs?
>> >> >>
>> >> >> Not conveniently. Forwarding is only done by ZONE.
>> >> >> (Even prior to Win2003 which can conditionally forward
>> >> >> by zone as well.)
>> >> >>
>> >> >> On the other hand you can pick off a zone of "one name" and
>> >> >> thus NOT forward for a small number of specific names.
>> >> >>
>> >> >> > I would like to turn forwarding on in my internet DNS server so
>> >> >> > that machines in my DMZ can use it for name resolution of zones
>> >> >> > where I am not the authority (like microsoft.com). However, I do
>> >> >> > not want to forward DNS requests originating from the internet,
>> >> >> > i.e. I only want internet users to be able to use my DNS server
>> >> >> > to resolve zones for which I am authoritative.
>> >> >>
>> >> >> The real problem here is that you are trying to use the same
>> >> >> server for PUBLIC DNS and for private, internal DNS.
>> >> >>
>> >> >> These two jobs should NOT be mixed. It is a bad and insecure
>> >> >> design (even with BIND servers which can accomplish this using
>> >> >> "views").
>> >> >>
>> >> >> You really should move your PUBLIC DNS back to the REGISTRAR
>> >> >> if possible.
>> >> >>
>> >> >> Most small companies have no business running their public DNS
>> >> >> at all.
>> >> >>
>> >>
>> >>
>> >> --
>> >> Herb Martin, MCSE, MVP
>> >> Accelerated MCSE
>> >> http://www.LearnQuick.Com
>> >> [phone number on web site]
>> >>
>> >>
>> >>
>>
>>
>>
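For readers who land here wanting to see what the thread's "BIND can do it with views" actually looks like, the following named.conf fragment is an added illustration; it is not configuration from the thread, from opc3, or from Herb Martin. It assumes a constructed authoritative zone example.com, a constructed DMZ subnet 192.0.2.0/24 as the "trusted" clients, and a constructed upstream forwarder at 198.51.100.53. Trusted clients get recursion (and forwarding) plus the authoritative zone; everyone else gets the authoritative zone only and is refused recursion, which is the exact split opc3 asked for. Herb's design point is unchanged by this: the server is still one publicly reachable box carrying both roles.

```conf
// Added example (not from the thread). All addresses, zone names and
// file paths below are constructed placeholders for illustration.

acl "trusted" {
    192.0.2.0/24;   // constructed: the DMZ hosts allowed to recurse
    localhost;
};

options {
    directory "/var/cache/bind";
    recursion no;              // global default: authoritative-only
    allow-transfer { none; };  // zone transfers are not offered to anyone
};

// Views are matched top to bottom; the first match-clients hit wins,
// so the trusted view must come before the catch-all view.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    forwarders { 198.51.100.53; };   // constructed: upstream resolver
    forward only;

    // The public zone is served here too, so trusted clients see it.
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";   // constructed path
    };
};

// Everyone else: authoritative answers only, no recursion, no forwarding.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };

    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";   // same zone data as above
    };
};
```

Two practical notes. Once any view is declared, BIND requires every zone to live inside a view, which is why example.com is repeated rather than placed at top level. And the check a practitioner would run after loading this: query a name outside example.com (say www.microsoft.com) once from a DMZ address and once from an outside address; the DMZ query should be answered via the forwarder, while the outside query should come back REFUSED (or, on some BIND versions, as a bare referral) rather than resolved. If the only goal is "recursion for these addresses, none for the rest" and no difference in zone contents is needed, BIND's `allow-recursion { trusted; };` in the global options achieves that on its own without views.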